Halil Kaskavalci

Create a certificate with CA chain

You bought a certificate from an authority. You deployed your application with
this certificate at example.com. You verified this with curl
https://example.com and it works great. You told your customer they can
connect.

Aaand they say your certificate is not trusted because your app does not provide
the full certificate chain. Whoa?

I am not a security expert, so I won’t go into the details of TLS certificates. But
I’ll show you how you can deploy your application with the full certificate chain so
that your customer will stay happy.

Great! Our certificate is now trusted. If you deploy your application with this
certificate, which also includes the CA chain, it will be trusted by clients.

Hey, wait. I did this and my certificate is still not trusted!

In this case, you either did not find the correct root CA or the correct
intermediate certificate. You probably received the intermediate certificate
from your provider. If not, check their website or ask for it. The procedure is
simple: just append their certificate to your certificate file. Test again with
the verify-ssl.sh tool.
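
The effect of appending the intermediate can be reproduced offline. The script below is an added example, not code from the original post and not the verify-ssl.sh tool it mentions: it builds a constructed root, intermediate and leaf for example.com, then verifies the leaf alone and the leaf with the intermediate appended against the root only, the way a client does. The function names and file names are assumptions made for the example.

```shell
#!/bin/sh
# Constructed three-level PKI: root -> intermediate -> leaf for example.com.
# Every name, key and file here is made up for the demonstration.

make_cert() {  # make_cert <name> <CN> <extension line> [issuer]; no issuer = self-signed
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/CN=$2" -out "$1.csr" 2>/dev/null || return 1
    printf '%s\n' "$3" > "$1.ext"
    if [ -n "$4" ]; then
        openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" \
            -CAcreateserial -days 1 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -signkey "$1.key" \
            -days 1 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
    fi
}

build_demo_pki() {  # build_demo_pki <dir>
    ( cd "$1" &&
      make_cert root "Constructed Root CA" "basicConstraints=critical,CA:TRUE" &&
      make_cert intermediate "Constructed Intermediate CA" \
          "basicConstraints=critical,CA:TRUE" root &&
      make_cert leaf "example.com" "subjectAltName=DNS:example.com" intermediate &&
      cat leaf.pem intermediate.pem > fullchain.pem )  # the "append" step
}

# Verify the first certificate in <file> with only the root trusted. The other
# certificates in the file are untrusted chain-building material, which is how
# a client treats what a server presents.
verify_presented() {  # verify_presented <dir> <file>
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/$2" "$1/$2" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    build_demo_pki "$dir" || return 1
    verify_presented "$dir" leaf.pem \
        && echo "leaf only: trusted" || echo "leaf only: NOT trusted"
    verify_presented "$dir" fullchain.pem \
        && echo "leaf + intermediate: trusted" || echo "leaf + intermediate: NOT trusted"
    rm -rf "$dir"
}

demo
```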

It’s time to deploy!

You deployed your application. You want to verify if all is good. Let’s check it
with, you guessed it, openssl.

I skipped the certificates, but it will print all certificates presented in the
certificate chain. The important bit is Verify return code: 0 (ok). If you see
this, it means your certificate is rock solid and ready to be trusted!